For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writings others hate it. If you like it, follow me!

Saturday, August 09, 2014

When I asked someone about what the marketing hook at Black Hat was this
year he simply replied, “Apparently to scare the $#!^ out of everyone!” I couldn’t help but laugh but having been to
those events before, sounds like business as usual but I doubt it was any less fun this year. :) Back in the lab, the past 72 hours has been
incredibly busy chasing down things that should really scare you, if you're not prepared for it!

About mid-week, one of our honeypot email recipients received
several spear phish attempts in rapid succession. This particular honeypot is one that gets spear
phished in more-or-less a, programmatic manner so when we had seen such a quick
burst of activity, it caught our attention.
All three samples are currently being reversed by the lab’s
analysts but of them, two really caught our attention!

The first was a very complex piece of malware that we’ve yet
to identify completely. A look at the
IDA map, looks like a flowchart for the launch sequence for the space
shuttle! A complex executable with lots
of interesting loops and calls with many layers of obfuscation and encryption;
this one is going to take a bit to reverse but it should provide for
interesting discussion among the Red Sky analysts! The most interesting attribute of this nasty
bug is that it appears to be operating system agnostic, due in part to its
unique exploit attributes, with the ability to infect most modern systems. We’ll see if that is true. With time being
limited, we switched gears and took a look at the second piece of malware we
found interesting.

When examining this second piece of malware, we identified
the C2 node and ran it through Threat Recon.
Immediately, the results came back and we knew we had something very
interesting on our hands. Taking the C2
as the pivot in our analysis, with Threat Recon we were able to identify an
additional 3 IP addresses and over a hundred new indicators in a matter of
minutes, with context that helped identify the nastiness we were seeing. As someone who’s been in this game a long
time, I think that’s pretty damn cool to get results that fast! So what did
we find and why is it
significant?

If you’re in the banking sector, the Win32.Banload Trojan
a.k.a. Ikarus, may conjure up some bad memories. First seen as early as 2008, perhaps
earlier, the Banload Trojan is associated with thea Win32/Banker Trojan family;
Trojans, notorious for stealing banking credentials. In all, our original pivot point and Threat
Recon helped identify several variants of banking Trojans including Malgent,
Camec, Orsam!rts being served up from more than two dozen domains. All that analysis and context is good and
should keep analysts busy for a bit, but why is this significant?

Wapack Labs has been following adversaries targeting
political dissidents for some time now.
By doing this, we’ve been able to capture malware samples that have
never been seen in the wild, this alone is helpful in identifying new variants
of malware quickly and pushing that analysis to the membership for mitigation;
however, by examining the targets themselves, another story emerges.

It’s not surprising that malware used to steal banking
credentials, even older variants, are being used to target individuals,
particularly those who are outspoken towards governments and high profile
political causes. Many of these dissident
groups, and those running them, collect millions in donations for the causes
they support. Charitable organizations
and non-profits may be perceived as “soft targets” with weak defenses and the
disruption of money flowing from these groups could disrupt or even halt the
ability of the cause to effect the changes they seek. By striking at the bottom lines of some of
these organizations, adversaries may be able to silence their voices and lessen
their effectiveness. Besides, the
disruption of money, compromising the private databases and correspondents of
political action groups could be a treasure-trove of information in identifying
other targets for future attacks or used as criminal or political leverage.

What we’ve come to realize over the past year or so is that
the soft target paradigm is one that security teams should be examining much
closer. The low effort and high return
on investment is a value propositiontoolucrative for adversaries to ignore. For us on the defense, the value proposition
is equally as high. From our research, targets with inadequate defenses make
excellent proving grounds for new malware development without risking leaving
breadcrumbs on Virus Total for the world to examine. Additionally, the wealth of information you
capture allows you to develop new tools to systematically process all the
pivoted information into actionable information to protect yourself. This is why Threat Recon was such an
important tool for us to build and offer to the security community – it saves
time and returns quantified and qualified actionable information very quickly. As we continue to collect from these soft
targets, Threat Recon and the results it provides will only become that much
more valuable

BT BT

The community of Threat Recon users continues to grow and
the feedback remains very positive. This week, we’ve heard from several early
adopters as to how they’re using Threat Recon in their enterprises and we’re
starting to hear the creative ways other cyber security teams have developed
tools around Threat Recon’s API. One
example is the integration of the tool into CRITS and another is creating a
Java application to do bulk queries. If
you’re one of those working on your own tools using the API, we would love to
hear from you, even if you have questions feel free to reach out to us directly!

To that point, this past week, the lab has been working on
our own application that we will be publishing on the Threat Recon GitHub that
will included the ability to query indicators in bulk against the API. Pizza Cat, as we call it, is a parsing engine
that will be available to those who want to use Threat Recon but may not have
the expertise on staff to develop their own tools, or have the time. If you’re interested in trying it, please
drop mean email at rgamache@wapacklabs.com or go to https://www.threatrecon.co

Next week, Jeff should be back to the blog. With two weeks to clear his mind, I’m sure
he’ll have plenty to say. Thanks for the
audience the past two weeks!